In this blog, we’ll discuss how to find the MySQL 5.7 root password.
While new MySQL software security features are always welcome, they can impact use and performance. Now by default, MySQL 5.7 creates a password for the root user (among other changes) so the installation itself can be considered secure. It’s a necessary change, but it has confused some customers and users. I see a lot of people on social networks (like Twitter) asking about this change.
So, where is my MySQL 5.7 root password?
The answer depends on the way you have installed MySQL 5.7 or Percona Server 5.7. I am going to show where to find the password depending on the installation method and the distribution used. For all these examples, I assume this is a new installation and you are using the default my.cnf.
CentOS/Red Hat – RPM Packages
The password is not shown on screen during the installation. It is in the error log. The autogenerated my.cnf contains this line:
log-error=/var/log/mysqld.log
So, there is our password:
# sudo grep "temporary password" /var/log/mysqld.log
2016-05-16T07:09:49.796912Z 1 [Note] A temporary password is generated for root@localhost: 8)13ftQG5OYl
Debian/Ubuntu
During package installation, you get a prompt asking for the root password. If you don’t set one, MySQL’s root user is created without a password. The package installation output contains the following line:
2016-05-16T07:27:21.532619Z 1 [Warning] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.
However, the root account is configured with the auth_socket plugin. You will only be able to connect using the UNIX socket, so any attempt to connect using your local IP or the network fails. Later on, you can change the password to allow connections from the network (as explained in this blog post).
All distributions – Binary tarball
mysql_install_db has been deprecated since MySQL 5.7.6. You need to use mysqld to initialize the system databases (such as mysql, which contains the users and passwords). There are two ways of doing it:
--initialize: this is the default and recommended option. It creates the mysql database and generates a random password for root, which is written to the error log.
# tail -n1 /var/log/mysql/error.log
2016-05-16T07:47:58.199154Z 1 [Note] A temporary password is generated for root@localhost: wzgds/:Kf2,g
If you don’t have the log-error directive configured, or have no my.cnf at all, the password is written to a file named host_name.err in the datadir.
--initialize-insecure: the datadir is initialized without setting a random password for the root user.
# tail -n1 /var/log/mysql/error.log
2016-05-16T07:51:28.506142Z 1 [Warning] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.
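The cases above (a temporary password in the error log, an empty root password, and the fallback to host_name.err in the datadir) can be checked with a small script. This is an added example, not code from the original post; the function names are hypothetical and the sample log is constructed from the lines quoted in this article.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# error_log_path CNF DATADIR
# Prints the log-error value from my.cnf (log-error and log_error are both
# accepted), or DATADIR/<host_name>.err when the directive or file is missing.
error_log_path() {
    p=$(sed -n 's/^[[:space:]]*log[-_]error[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
    if [ -n "$p" ]; then echo "$p"; else echo "$2/$(uname -n).err"; fi
}

# root_init_state LOG
# Prints "temporary", "insecure" or "unknown". The last matching event wins,
# so a datadir that was initialized again reports its current state.
root_init_state() {
    awk '/A temporary password is generated for root@localhost:/ { s = "temporary" }
         /root@localhost is created with an empty password/      { s = "insecure" }
         END { print (s == "" ? "unknown" : s) }' "$1"
}

# temp_root_password LOG
# Prints the most recent temporary password. It takes everything after the
# marker text instead of counting fields, so punctuation is preserved.
temp_root_password() {
    sed -n 's/^.*A temporary password is generated for root@localhost: //p' "$1" | tail -n 1
}

# write_sample_log FILE
# Constructed sample: two initializations, using the lines quoted above.
write_sample_log() {
    cat > "$1" <<'EOF'
2016-05-16T07:09:49.796912Z 1 [Note] A temporary password is generated for root@localhost: 8)13ftQG5OYl
2016-05-16T07:47:58.199154Z 1 [Note] A temporary password is generated for root@localhost: wzgds/:Kf2,g
EOF
}

# Demo on the constructed log; prints "state: temporary".
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "state: $(root_init_state "$demo_log")"
rm -f "$demo_log"
```

An "insecure" result means root has an empty password and should be given one before the server is exposed to anything but the local socket.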
Conclusion
Unfortunately, more security can also add more confusion. Depending on the installation method and distribution, the MySQL 5.7 root password process varies a lot, so keep an eye on the error log after every installation and also watch the installation process output shown on screen. In case you are really lost (or you have removed the error log for some reason), you can still start mysqld with --skip-grant-tables to access the database and change the password.
Is it really secure to put passwords to logs? I daresay I doubt very much.
This is a temporary password which is marked as expired immediately meaning MySQL will ask you to change it on the first login.
I see, thanks.
Very good post. I met a problem when I deploy multi instance on one host, with one my.cnf per instance.
I initialize like this:
/usr/local/mysql/bin/mysqld --initialize-insecure --basedir=/usr/local/mysql --datadir=/data/mysql3307/data
/usr/local/mysql/bin/mysqld --initialize-insecure --basedir=/usr/local/mysql --datadir=/data/mysql3307/data
I start the 3306 instance OK and it can run normally, but when I start the second one, I met the error:
2016-05-26T07:45:31.654495Z 0 [Note] Plugin 'FEDERATED' is disabled.
mysqld: Table 'mysql.plugin' doesn't exist
2016-05-26T07:45:31.654667Z 0 [ERROR] Can't open the mysql.plugin table. Please run mysql_upgrade to create it.
2016-05-26T07:45:31.658189Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
2016-05-26T07:45:31.660458Z 0 [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.
2016-05-26T07:45:31.660471Z 0 [Note] Skipping generation of SSL certificates as certificate files are present in data directory.
2016-05-26T07:45:31.667197Z 0 [Warning] CA certificate ca.pem is self signed.
2016-05-26T07:45:31.667260Z 0 [Note] Skipping generation of RSA key pair as key files are present in data directory.
2016-05-26T07:45:31.667353Z 0 [Note] Server hostname (bind-address): '*'; port: 3307
2016-05-26T07:45:31.668472Z 0 [Note] IPv6 is not available.
2016-05-26T07:45:31.668549Z 0 [Note] - '0.0.0.0' resolves to '0.0.0.0';
2016-05-26T07:45:31.668562Z 0 [Note] Server socket created on IP: '0.0.0.0'.
2016-05-26T07:45:31.669633Z 0 [Warning] Failed to open optimizer cost constant tables
2016-05-26T07:45:31.669709Z 0 [ERROR] Fatal error: Can't open and lock privilege tables: Table 'mysql.user' doesn't exist
2016-05-26T07:45:31.669746Z 0 [ERROR] Aborting
Do you know how to solve this problem? Thanks.
Is there any way around this? I use Puppet to install Percona 5.6 and want to use 5.7 but Puppet will not work because it randomly generates a password, so it can’t connect to configure all the custom permissions we’ve defined.
Unattended install on Debian is a nightmare too.
Not at all! For silent install do the following:
—
apt-get install -q -y debconf-utils
echo "mysql-server mysql-server/root_password password " | debconf-set-selections
echo "mysql-server mysql-server/root_password_again password " | debconf-set-selections
apt-get install -y --force-yes mysql-server
—
After installation you can run mysql commands like so:
"/usr/bin/mysql --defaults-extra-file=/etc/mysql/debian.cnf -e …"
After “password” in the echo string should be some random password, natch. (comment system swallowed my angle bracket placeholder)
In my case it is not writing anything to /var/log/mysqld.log.
After some digging, I have found that if I run “/etc/init.d/mysql start”, the temporary password gets printed in the stdout. So I actually had to run the following to be able to follow the official documentation:
/etc/init.d/mysql start > /var/log/mysqld.log 2>&1
I don't know why it is different in my case; I am running an Amazon Linux based image in Docker.
Hope this helps someone from wasting hours.
you saved my day
thanks
I have installed MySQL 5.7.18 on my Linux machine and I found the default password to log in.
Due to some error I uninstalled the package and installed it again from scratch, but this time I cannot find the new default password in the path where I found the password earlier.
In case you want to install mysql or percona unattended (like in my case ansible), you can use following script:
# first part opens mysql log
# second part greps lines with temporary password
# third part picks last line (most recent one)
# last part removes all the line except the password
# the result goes into password variable
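password=$(cat /var/log/mysqld.log | grep "A temporary password is generated for" | tail -1 | sed -n 's/.*root@localhost: //p')
# setting new password, you can use $1 and run this script as a file and pass the argument through the script
newPassword="wh@teverYouLikE"
# resetting temporary password
# (the temporary password is expired, so a non-interactive client needs --connect-expired-password;
# the password is quoted because it can contain shell metacharacters)
mysql -uroot -p"$password" --connect-expired-password -Bse "ALTER USER 'root'@'localhost' IDENTIFIED BY '$newPassword';"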
for centos/7 workaround
if [[ ! -f /etc/mysql/defaults.cnf ]]; then
    # Take the most recent temporary password from the error log
    MYSQL_ROOT_PASSWD=$(grep "A temporary password is generated for root@localhost:" /var/log/mysqld.log | tail -n 1 | cut -d " " -f 11)
    yum install -y pwgen
    NEW_MYSQL_ROOT_PASSWD=$(pwgen -y 16 1)
    mysql --verbose -u root --password="${MYSQL_ROOT_PASSWD}" --connect-expired-password -Bse "ALTER USER USER() IDENTIFIED BY '${NEW_MYSQL_ROOT_PASSWD}'"
    MYSQL_ROOT_PASSWD="${NEW_MYSQL_ROOT_PASSWD}"
    echo "[mysql]" > /etc/mysql/defaults.cnf
    # Restrict the file to root before the password is written to it
    chmod 600 /etc/mysql/defaults.cnf
    echo "user=root" >> /etc/mysql/defaults.cnf
    echo "password=${MYSQL_ROOT_PASSWD}" >> /etc/mysql/defaults.cnf
fi
# -e is required; without it the string is taken as a database name
mysql --defaults-extra-file=/etc/mysql/defaults.cnf -e "SHOW DATABASES"
You can also check the journalctl output if you start mysqld by systemctl. Like this:
journalctl -xe |grep mysqld |grep temporary
and look for the line saying generate temporary password.
This is especially useful on the Arch Linux family as the mysqld.log is empty for unknown reason.
Hope this can help somebody.
Thank you very much